Snort mailing list archives
snort3 - is there any file_id .lua inspector plugin template to change verdict.
From: Özkan KIRIK via Snort-devel <snort-devel () lists snort org>
Date: Wed, 1 Jun 2022 08:13:12 +0300
Hi,

I'm trying to write a ClamAV plugin for files detected by snort3. Is there any .lua or .cc plugin example for this?

If it's possible, I'm thinking of writing a file_id inspector plugin, scanning the file and then setting the verdict or generating a GID/SID event (like DetectionEngine::queue_event(DF_GID, DF_SID);) and blocking packets with GID/SID. Is it the right way? If not, which way do you suggest?

Thanks & Regards,
Özkan